Changeset 4752 for branches
Timestamp:
Jan 26, 2010, 10:13:37 AM
Author:
plg
Message:

bug 1401 fixed: let's use the mysql_real_escape_string on POST fields (even if
I was not able to reproduce any attack because fields are heavily processed
before any SQL query).

File:
1 edited

  • branches/2.0/search.php

    r3046 r4752  
    3636if (isset($_POST['submit']))
    3737{
     38  foreach ($_POST as $post_key => $post_value)
     39  {
     40    if (!is_array($post_value))
     41    {
     42      $_POST[$post_key] = mysql_real_escape_string($post_value);
     43    }
     44  } 
     45 
    3846  if (isset($_POST['search_allwords'])
    3947      and !preg_match('/^\s*$/', $_POST['search_allwords']))
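Review bot: the loop added at lines 38-44 escapes every scalar `$_POST` value in place before anything else looks at it, so the escaped form is what the `preg_match('/^\s*$/', ...)` on line 47 and every later non-SQL use of these fields will see, and any field that is escaped again when its query is assembled ends up double-escaped. Escaping belongs at the point where the SQL string is built (or the value is bound), not on `$_POST` itself. Two further points on this hunk: `mysql_real_escape_string` requires an open MySQL link, and the hunk does not show that the connection is already established when this code runs; and the `!is_array` test on line 40 means array-valued fields such as `tags` and `cat` get no escaping from this loop at all, so they depend entirely on the per-field checks added further down. Lines 44 and 45 carry trailing whitespace.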
     
    6472  if (isset($_POST['tags']))
    6573  {
     74    check_input_parameter('tags', $_POST['tags'], true, PATTERN_ID);
     75   
    6676    $search['fields']['tags'] = array(
    6777      'words' => $_POST['tags'],
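Review bot: since the escaping loop earlier in this change skips arrays, the `check_input_parameter('tags', $_POST['tags'], true, PATTERN_ID)` call on line 74 is the only guard on this array before its elements are stored unchanged in `$search['fields']['tags']['words']` on line 77. The hunk does not show what the helper does when an element fails `PATTERN_ID`; confirm that it aborts the request rather than returning, otherwise the unvalidated value is still used on line 77. Line 75 has trailing whitespace.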
     
    8393  if (isset($_POST['cat']))
    8494  {
     95    check_input_parameter('cat', $_POST['cat'], true, PATTERN_ID);
     96   
    8597    $search['fields']['cat'] = array(
    8698      'words'   => $_POST['cat'],
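Review bot: line 95 repeats the `tags` treatment for `cat`, which is consistent, but the same reasoning applies to every array-valued POST field this script reads, because none of them is covered by the scalar escaping loop; it would help to state in the commit message which fields are protected by a `PATTERN_ID` allowlist and which still rely on escaping, so the next reader does not assume the loop covers everything. Line 96 has trailing whitespace.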